<p>Using remote artifacts without integrity checks can lead to the unexpected execution of malicious code in the application.</p>
<p>On the client side, where front-end code is executed, malicious code could:</p>
<ul>
  <li> impersonate users' identities and take advantage of their privileges on the application. </li>
  <li> add quiet malware that monitors users' session and capture sensitive secrets. </li>
  <li> gain access to sensitive clients' personal data. </li>
  <li> deface, or otherwise affect the general availability of the application. </li>
  <li> mine cryptocurrencies in the background. </li>
</ul>
<p>Likewise, a compromised software piece that would be deployed on a server-side application could badly affect the application’s security. For
example, server-side malware could:</p>
<ul>
  <li> access and modify sensitive technical and business data. </li>
  <li> elevate its privileges on the underlying operating system. </li>
  <li> Use the compromised application as a pivot to attack the local network. </li>
</ul>
<p>By ensuring that a remote artifact is exactly what it is supposed to be before using it, the application is protected from unexpected changes
applied to it before it is downloaded.<br> Especially, integrity checks will allow for identifying an artifact replaced by malware on the publication
website or that was legitimately changed by its author, in a more benign scenario.</p>
<p>Important note: downloading an artifact over HTTPS only protects it while in transit from one host to another. It provides authenticity and
integrity checks <strong>for the network stream</strong> only. It does not ensure the authenticity or security of the artifact itself.</p>
<h2>Ask Yourself Whether</h2>
<ul>
  <li> The artifact is a file intended to execute code. </li>
  <li> The artifact is a file that is intended to configure or affect running code in some way. </li>
</ul>
<p>There is a risk if you answered yes to any of these questions.</p>
<h2>Recommended Secure Coding Practices</h2>
<p>To check the integrity of a remote artifact, hash verification is the most reliable solution. It does ensure that the file has not been modified
since the fingerprint was computed.</p>
<p>In this case, the artifact’s hash must:</p>
<ul>
  <li> Be computed with a secure hash algorithm such as <code>SHA512</code>, <code>SHA384</code> or <code>SHA256</code>. </li>
  <li> Be compared with a secure hash that was <strong>not</strong> downloaded from the same source. </li>
</ul>
<p>To do so, the best option is to add the hash in the code explicitly, by following <a
href="https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity#tools_for_generating_sri_hashes">Mozilla’s official documentation on
how to generate integrity strings</a>.</p>
<p><strong>Note: Use this fix together with version binding on the remote file. Avoid downloading files named "latest" or similar, so that the
front-end pages do not break when the code of the latest remote artifact changes.</strong></p>
<h2>Sensitive Code Example</h2>
<p>The following code sample uses neither integrity checks nor version pinning:</p>
<pre>
let script = document.createElement("script");
script.src = "https://cdn.example.com/latest/script.js"; // Sensitive
script.crossOrigin = "anonymous";
document.head.appendChild(script);
</pre>
<h2>Compliant Solution</h2>
<pre>
let script = document.createElement("script");
script.src = "https://cdn.example.com/v5.3.6/script.js";
script.integrity = "sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC";
script.crossOrigin = "anonymous";
document.head.appendChild(script);
</pre>
<h2>See</h2>
<ul>
  <li> OWASP - <a href="https://owasp.org/Top10/A08_2021-Software_and_Data_Integrity_Failures/">Top 10 2021 Category A8 - Software and Data Integrity
  Failures</a> </li>
  <li> CWE - <a href="https://cwe.mitre.org/data/definitions/353">CWE-353 - Missing Support for Integrity Check</a> </li>
  <li> OWASP - <a href="https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration">Top 10 2017 Category A6 - Security
  Misconfiguration</a> </li>
  <li> <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity">developer.mozilla.org</a> - Subresource Integrity </li>
  <li> <a href="https://en.wikipedia.org/wiki/Watering_hole_attack">Wikipedia, Watering Hole Attacks</a> </li>
</ul>
